gpfdists:// Protocol

The gpfdists:// protocol is a secure version of the gpfdist://
protocol. To use it, you run the gpfdist utility with the
--ssl option. When specified in a URI, the gpfdists://
protocol enables encrypted communication and secure identification of the file server and the
Greenplum Database to protect against attacks such as eavesdropping and
man-in-the-middle attacks.

gpfdists implements SSL security in a client/server scheme with the
following attributes and limitations:

Client certificates are required.

Multilingual certificates are not supported.

A Certificate Revocation List (CRL) is not supported.

The TLSv1 protocol is used with the
TLS_RSA_WITH_AES_128_CBC_SHA encryption algorithm.

SSL parameters cannot be changed.

SSL renegotiation is supported.

The SSL ignore host mismatch parameter is set to false.

Private keys containing a passphrase are not supported for the gpfdist
file server (server.key) and for the Greenplum Database (client.key).

Note: A server started with the gpfdist --ssl option can only communicate with
the gpfdists protocol. A server that was started with gpfdist without the
--ssl option can only communicate with the gpfdist protocol.

Using gpfdists requires that the following client certificates reside in the
$PGDATA/gpfdists directory on each segment:

The client certificate file, client.crt

The client private key file, client.key

Use one of the following methods to invoke the gpfdists protocol.

Run gpfdist with the --ssl option and then use the
gpfdists protocol in the LOCATION clause of a
CREATE EXTERNAL TABLE statement.

Use a gpload YAML control file with the SSL option set
to true. Running gpload starts the gpfdist server with
the --ssl option, then uses the gpfdists protocol.
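A preflight check for the certificate requirements above, as an added example that is not part of the Greenplum documentation: it assumes the file names and directory described on this page, detects a passphrase-protected key from its PEM header only, and builds a constructed stub directory so it can run stand-alone.

```shell
#!/bin/sh
# Added example (not Greenplum's own code): verify that a gpfdists certificate
# directory holds the required PEM files, that the private key has no passphrase
# (unsupported by gpfdists), and that the key is not group/world-readable.

# pem_is_encrypted FILE: succeeds if the key has a passphrase header (traditional PEM or PKCS#8).
pem_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# check_gpfdists_dir DIR CERT KEY: prints each finding, returns the number of problems (0 = ready).
check_gpfdists_dir() {
    dir=$1; cert=$2; key=$3; problems=0
    for f in "$cert" "$key"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    if [ -f "$dir/$key" ]; then
        if pem_is_encrypted "$dir/$key"; then
            echo "passphrase-protected key is not supported by gpfdists: $dir/$key"
            problems=$((problems + 1))
        fi
        # Octal mode (GNU stat, BSD stat fallback); only the owner may read the key.
        mode=$(stat -c '%a' "$dir/$key" 2>/dev/null || stat -f '%Lp' "$dir/$key")
        case $mode in
            600|400) ;;
            *) echo "key readable by group/others (mode $mode): $dir/$key"
               problems=$((problems + 1)) ;;
        esac
    fi
    return "$problems"
}

# make_sample_dir [KEY_HEADER]: constructed sample directory with stub PEM files (no real key material).
make_sample_dir() {
    d=$(mktemp -d)
    header=${1:-"-----BEGIN PRIVATE KEY-----"}
    printf '%s\nSTUB\n%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\nSTUB\n%s\n' "$header" '-----END PRIVATE KEY-----' > "$d/client.key"
    chmod 600 "$d/client.key"
    echo "$d"
}

sample=$(make_sample_dir)
check_gpfdists_dir "$sample" client.crt client.key && echo "ready: $sample"
```

Run it against $PGDATA/gpfdists on each segment host before starting gpfdist --ssl; the same check applies to the server side with server.key as the key argument.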